Ten years ago the internet looked very different than it does now. Today, web designers have more options and standards to make a website stand out. Do you recall when most sites used clashing colors, font types, and animated GIFs? It seems that website spammers haven’t forgotten those days.
We often find spam hidden in more or less sophisticated ways, such as hidden divs, negatively positioned iframes, and other similar tricks. Of course, security companies are always trying to detect such spam – and they are usually pretty successful.
This past week I came across an entire piece of SEO spam that I thought was pretty clever. This is what it looked like:
At first glance, there doesn’t appear to be anything out of the ordinary with this piece of spam. It’s clearly what is known as the Pharma Hack, meaning it is a pharmaceutical spam campaign found on a number of infected websites. Our detection engines are designed to flag these types of issues so that our team can investigate their legitimacy (yes, Viagra websites do exist, and yes, some do advertise for them).
In this case though, the various references to the word “viagra” weren’t flagged using our usual detection methods. I found this a bit peculiar; it’s pretty apparent that the page was infested with the word. This caught my attention, so I had to investigate. Turns out, this piece of spam could be pretty difficult to detect with some automated tools because of how it was injected.
Targeting the Eye Not the Infection
Often when we talk about SEO spam, the targets are search engines, things like Bing and Google Search Engine Result Pages (SERPs). In this configuration it became apparent that was not the case. The attacker was targeting the reader more than the engine, relying on what our eyes tell us.
What they were doing became apparent when I highlighted the words on the page.
In case you didn’t notice what they did: they inserted additional letters (and spaces) into the keywords, then changed the font color of those extra characters to white to match the background color. To the naked eye, you wouldn’t know any better. In the underlying text, though, the keywords are intermixed with random letters and spaces, allowing the attacker to obfuscate the spam from detection engines.
I checked the source code and that’s the point where I really started to laugh:
This HTML code reminds me of one of my first websites. Nowadays, with CSS3 and HTML5 everywhere, this old way of coding websites is both sentimental and funny. That is, until you realize it’s a pretty elegant way to avoid detection, designed purely for visitors to see – not Google, not Yahoo, and not for detection engines.
While you, as a visitor, can clearly read the keywords – Viagra, Pharmacy, etc – for any tool using string-based detection the line reads differently – Vc it aa gx rs a, Pr hu ao rz my ah cp y – and so on.
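The gap between the two readings can be turned into a detection signal. The following is an added example, not code from the original post or from any product: it extracts both the raw text and the text left after dropping anything colored like the background, then reports keywords that only show up in the second view. The sample markup is constructed, and the use of font tags with a color attribute, the white background, and the names scan, hide and TextViews are assumptions.

```python
import re
from html.parser import HTMLParser

BACKGROUND = {"white", "#fff", "#ffffff"}  # assumption: page background is white
KEYWORDS = ("viagra", "pharmacy")          # the keywords named in the post

def hides_text(attrs):
    """True when a tag sets its text colour to the background colour."""
    a = {k: (v or "").strip().lower() for k, v in attrs}
    m = re.search(r"(?<![-\w])color\s*:\s*([^;]+)", a.get("style", ""))
    return a.get("color") in BACKGROUND or bool(m and m.group(1).strip() in BACKGROUND)

class TextViews(HTMLParser):
    """Collects the text a string scanner sees and the text a visitor sees."""
    def __init__(self):
        super().__init__()
        self.open_tags, self.raw, self.visible = [], [], []

    def handle_starttag(self, tag, attrs):
        self.open_tags.append((tag, hides_text(attrs)))

    def handle_endtag(self, tag):
        for i in range(len(self.open_tags) - 1, -1, -1):  # close nearest match
            if self.open_tags[i][0] == tag:
                del self.open_tags[i:]
                break

    def handle_data(self, data):
        self.raw.append(data)
        if not any(hidden for _, hidden in self.open_tags):
            self.visible.append(data)

def scan(html):
    parser = TextViews()
    parser.feed(html)
    parser.close()
    raw, visible = "".join(parser.raw).lower(), "".join(parser.visible).lower()
    raw_hits = [k for k in KEYWORDS if k in raw]
    visible_hits = [k for k in KEYWORDS if k in visible]
    # Keywords a visitor can read but the raw text lacks were hidden on purpose.
    return {"raw": raw, "visible": visible, "raw_hits": raw_hits,
            "visible_hits": visible_hits,
            "obfuscated": [k for k in visible_hits if k not in raw_hits]}

def hide(word, fillers):
    """Constructed sample markup: a white filler letter and space between letters."""
    return word[0] + "".join(f'<font color="#ffffff">{f} </font>{c}'
                             for f, c in zip(fillers, word[1:]))

# Constructed sample; the <font color> markup is an assumption about the injected HTML.
SAMPLE = f"<p>Buy {hide('Viagra', 'ctaxs')} at our {hide('Pharmacy', 'ruozyhp')}</p>"

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A non-empty "obfuscated" list is the signal worth alerting on, since a legitimate page has no reason to split a word with background-colored characters.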
The use of white text to hide keywords is an old trick from the early days of black hat SEO. Google makes it pretty clear now that you shouldn’t use white text unless you want to get blacklisted for spamming. Clearly these spammers don’t care what Google thinks. They just want victims to click on their pharmaceutical ads.
As usual, we found a way to detect the spam so our clients’ websites are protected. As a reminder – if a trick is old, it doesn’t mean it’s obsolete.